GP-013 Risk management

Procedure flowchart

Purpose

To describe the procedure to control and establish the risk management of our medical devices, from its conception throughout design, development, placing into the market and post-market phase (along its life cycle), to guarantee patient safety and remove or minimise risks as much as possible.

Scope

All medical devices developed by us and all processes involved in the product's life cycle.

Responsibilities

JD-001

To approve the risk management plan and procedure.

JD-004

To prepare the risk management plan and procedure in order to develop the risk management, and record the risk analysis and the risk management report.

JD-003

To request the risk management report and evaluate it together with the JD-005 the JD-004.

JD-005

To develop and review the risk management, perform the risk analysis and evaluate the benefit/risk ratio of the risks detected.

Inputs

• UNE-EN ISO 14971:2020
• Regulation (EU) 2017/745 MDR
• ISO/TR 24971:2020
• Preclinical and clinical data.
• Risks know and foreseeable.
• Monitoring and measurements of incidents.
• Information collected from PMS and PMCF.

Outputs

• T-013-001 Risk management plan
• T-013-002 Risk management record
• T-013-003 Risk management report
• Risk acceptability.
• Acceptability of the benefit-risk ratio, included within the T-013-003 Risk management report.

Development

One risk universe, three lenses

Although this procedure aims at assessing clinical or patient safety hazards and hazardous situations leading to harms in accordance with UNE-EN ISO 14971:2020, we understand one unified risk universe viewed through three complementary lenses:

• Safety (ISO 14971 / ISO/TR 24971): clinical or patient safety hazards and hazardous situations leading to harms. Likelihood term is probability of harm given exposure.
• Usability & Human Factors (ISO 62366 + FDA HF guidance): use scenarios and potential use errors that initiate or modify sequences of events. HF validation (summative) provides empirical evidence to refine probability estimates and identify latent use errors.
• Cybersecurity (IEC 81001-5-1 + FDA 2023 Cybersecurity Guidance): threat, vulnerability and exploitability producing or amplifying hazardous situations. The likelihood construct differs: we focus on exploitability (E) of a reachable attack surface, not a direct clinical probability; exploitability then propagates into clinical probability via altered exposure, inducement of use error, or system performance degradation. Cyber risks can:
  • Create new clinical hazardous situations (e.g. corrupted diagnostic data, integrity loss).
  • Increase exposure frequency (e.g. denial-of-service causing repeated retries, workflow stress).
  • Induce or amplify use errors (e.g. confusing UI states after partial compromise).
  • Escalate severity (e.g. delayed or incorrect treatment decisions due to manipulated outputs).

ISO 14971 explicitly permits using the same risk-management process for data and systems security risks in medical devices, which is why cybersecurity is integrated into a unified table rather than handled in a separate record.

All three lenses feed a shared causal chain so security threat modeling outputs and HF summative test findings trace directly into the safety risk management file (no parallel silos).

Chain of events

The following chain of events model unifies safety, usability and cybersecurity analyses, identifying a Initiator, an Exposure an Event and an Impact:

• ▣Usability & Human Factors (ISO 62366 + FDA HF guidance)
• ▣Safety (ISO 14971 / ISO/TR 24971)
• ▣Cybersecurity (IEC 81001-5-1 + FDA 2023 Cybersecurity Guidance)

However, a more comprehensive approach considers the interplay between these domains:

This lets HF summative tests and cyber threat models plug into the same causal path used for traditional safety risk analysis.

Risk management policy

In this section, we clarify the roles and responsibilities of our senior management and our staff in the risk management process. We also describe the context for risk management as part of the overall system of internal controls and arrangements, outlining the main principles behind the risk management framework. Furthermore, we explain how acceptable risks are determined and define our criteria for risk acceptability.

Risk acceptability criteria

With the goal of providing a framework that ensures that criteria are based upon applicable national or regional regulations and relevant international standards, and taking into account available information such as the generally acknowledged state of the art and known stakeholder concerns, we define our criteria for risk acceptability.

The risk acceptability is based on an analysis of the probability of the occurrence of the harm (P) and the severity of the harm (S) in case that the patient or user is exposed to a hazard.

Severity (S)

The severity values are calculated according to the following table:

Score	Impact	Severity of product and client	Effect
5	Critical	Damage or nuisance capable of causing serious damage to the health of the user or breach of commitments or essential requirements.	Loss or degradation of primary function or death and / or non-compliance with requirements.
4	Serious	Harm or nuisance capable of causing severe or significant harm to the user or non-compliance with QMS capable of endangering compliance with essential and non-essential commitments or requirements.	Permanent impairment or irreversible injury and / or minor non-conformities that may lead to direct non-compliance with requirements or lack of evidence
3	Major	Damage or nuisance capable of causing minor or slight damage to the user or non-compliance with QMS capable of endangering compliance with non-essential requirements.	Injury or impairment requiring medical or surgical intervention and / or minor non-conformities that may lead to direct non-compliance with requirements or lack of evidence
2	Minor	Nuisance in the absence of danger to the user or small errors in the manufacturer's QMS that does not jeopardize compliance with requirements.	Temporary injury or impairment not requiring medical or surgical intervention and / or non-conformities of regulatory requirements
1	Negligible	No discernible effect or detriment to the ability to meet requirements	Inconvenience or temporary discomfort

Probability (P)

The overall probability of harm (P) is calculated as the product of two distinct components:

$$P = P_1 \times P_2$$

Where:

• $P_1$ = Probability of occurrence of the hazardous situation
• $P_2$ = Probability of the hazardous situation leading to harm

P₁: Probability of Occurrence of the Hazardous Situation

This represents how likely it is that the hazardous situation will occur during use of the device.

Score	Probability	Frequency Range	Meaning
5	Frequent	1 - 1/10	The hazardous situation is very likely to occur; expected to happen in more than 10% of cases or uses.
4	Probable	1/10 - 1/100	The hazardous situation is probable to occur; expected to happen in 1-10% of cases or uses.
3	Occasional	1/100 - 1/1000	The hazardous situation may occur occasionally; expected to happen in 0.1-1% of cases or uses.
2	Remote	1/1000 - 1/10000	The hazardous situation is unlikely but possible; expected to happen in 0.01-0.1% of cases or uses.
1	Improbable	0 - 1/10000	The hazardous situation is highly improbable but not impossible; expected to happen in less than 0.01% of cases or uses.

P₂: Probability of Hazardous Situation Leading to Harm

This represents the conditional probability that, given the hazardous situation has occurred, it will result in actual harm to the patient.

Score	Value for Our Device	Rationale
1	Always 1	Our software is a diagnostic support tool that aids healthcare professionals in diagnosis. It does not directly touch or interact with patients physically. Therefore, it cannot directly cause harm through physical interaction. Any harm pathway is indirect.

Why $P_2 = 1$ for Our Device

For diagnostic support software that does not directly interact with patients:

• The device cannot directly cause physical harm
• If a hazardous situation occurs (e.g., incorrect diagnostic information), the probability that this situation can lead to harm (through indirect pathways such as clinical decision-making) is 1 (100%)
• However, the actual harm depends on $P_1$ (how often the hazardous situation occurs) and other factors in the clinical pathway

This means:

$$P = P_1 \times 1 = P_1$$

Therefore, when calculating RPN (Risk Priority Number)

$$\text{RPN} = P_1 \times P_2 \times S = P_1 \times 1 \times S = P_1 \times S$$

Detectability (D)

When the probability of occurrence of harm cannot be estimated, the probability will be assigned in terms of detectability.

The detectability can be estimated according to the following table:

Score	Detectability	Meaning
5	Almost Certain	Detection probability <100%. Potential hazard will almost certainly be detected
4	High	Detection probability <80%. High chance that potential hazard will be detected
3	Moderate	Detection probability <50%. Moderate chance that potential hazard will be detected
2	Low	Detection probability <25%. Low chance that potential hazard will be detected
1	Remote	Detection probability <10%. Very remote chance that potential hazard will be detected

Exploitability (E)

Exploitability refers to the ease with which a potential hazard can be exploited or turned into an actual harm. It takes into account the existing vulnerabilities and the likelihood of an attacker successfully exploiting them.

Score	Exploitability	Meaning
5	Almost Certain	Exploitability <100%. Potential hazard will almost certainly be exploited
4	High	Exploitability <80%. High chance that potential hazard will be exploited
3	Moderate	Exploitability <50%. Moderate chance that potential hazard will be exploited
2	Low	Exploitability <25%. Low chance that potential hazard will be exploited
1	Remote	Exploitability <10%. Very remote chance that potential hazard will be exploited

Approach to risk control

In general terms, we pursue a strategy of reducing risk as far as possible without adversely affecting the benefit-risk ratio. This is our general approach to risk control. However, certain risks may require an approach based on reducing risk as low as reasonably practicable, or even reducing risk as low as reasonably achievable, due to the nature of the risk.

Our top management reviews the suitability of the risk management process in the management review meetings to ensure continuing effectiveness of the risk management process.

Risk acceptability

For each identified hazardous situation, we decide the risk reduction measure based on its risk level. To quantify this, we use the RPN (Risk Priority Number).

The complete formula for RPN is

$$RPN = P_1 \times P_2 \times S$$

where:

• $P_1$ = Probability of occurrence of the hazardous situation
• $P_2$ = Probability of the hazardous situation leading to harm
• $S$ = Severity of harm

However, for our diagnostic support software, P2 is always equal to 1 because the device aids in diagnosis and does not directly touch or interact with patients. Since the software cannot directly cause harm to patients, the probability that a hazardous situation leads to harm through direct device interaction is always 1 (meaning the harm pathway is solely through the occurrence of the hazardous situation, not through a direct physical interaction).

Therefore, for our device:

$$RPN = P_1 \times 1 \times S = P_1 \times S$$

As seen in the R-TF-013-002 Risk mangement record of every device, the risk estimation is the product of the severity multiplied by the probability (P1), ranging from 0 to 25. These values of probability and severity are based on technical previous experience, the state of the art and the foreseeable subjective evaluation.

As a restult, we establish three ranges of acceptability, depending on the RPN.

RPN	Acceptability
From 0 to 5	Acceptable: the risk is acceptable
From 6 to 12	As far as possible (AFAP): only acceptable if accompanied by minimization actions.
From 13 to 25	Not acceptable: a benefit-risk analysis is required.

This results in the following matrix:

PROBABILITY OF OCURRENCE	5	Acceptable		As far as possible		Not acceptable		Not acceptable		Not acceptable
	4	Acceptable		As far as possible		As far as possible		Not acceptable		Not acceptable
	3	Acceptable		As far as possible		As far as possible		As far as possible		Not acceptable
	2	Acceptable		Acceptable		As far as possible		As far as possible		As far as possible
	1	Acceptable		Acceptable		Acceptable		Acceptable		Acceptable
		1		2		3		4		5
		SEVERITY OF HARM

Evaluation and criteria for individual benefit-risk acceptability and the overall residual risk

The method to evaluate the criteria for individual benefit-risk acceptability and the overall residual risk considers the clinical benefits provided by the performance of the intended use of the medical device.

The individual residual risk acceptance follows the same criteria as the one established for the general risks, and it is indicated in the following table, and it is detailed at the corresponding R-TF-013-002 Risk management record

PROBABILITY OF OCURRENCE	FREQUENT	5	Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis
	PROBABLE	4	Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis
	OCCASIONAL	3	Acceptable		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis
	REMOTE	2	Acceptable		Acceptable		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis
	IMPROBABLE	1	Acceptable		Acceptable		Acceptable		Acceptable		Acceptable
			1		2		3		4		5
			NEGLIGIBLE		MINOR		MAJOR		SERIOUS		CRITICAL
			SEVERITY

Moreover, we use experts to support the evaluation of the overall residual risk, taking into consideration each of the individual residual risks, in relation to the benefits expected from the medical device under consideration. These experts have knowledge and experience with similar medical devices.

The global benefit-risk ratio is based on general acceptability of the product and evidenced by the R-TF-015-003 Clinical evaluation report (CER) and periodically revised and re-validated as shown in the Clinical Evaluation Plan (R-TF-015-001 Clinical evaluation plan (CEP)), or when new hazards are identified and they require assessment and evaluation.

A visual representation, in form of a chart, of each of the residual risks is also used, giving a graphic view of the distribution of the risks. If many of the risks are in the higher severity regions or in the higher probability regions of the risk matrix, then the distribution of the risks can indicate that the overall residual risk might not be acceptable, even if each individual risk has been judged acceptable. The results of the evaluation of the overall residual risk are documented in the R-TF-013-002 Risk Management Record.

Principles and governance

Our risk management approach reflects the following principles:

• Ensuring patient safety
• Addressing both value protection and value creation
• Ensuring that roles and responsibilities are explicit and clear
• Ensuring that the process for managing risk is fit for purpose
• Ensuring compliance with the applicable regulatory requirements
• Ensuring safety, performance and effectiveness of the medical device

And will be embedded in our governance structures as follows:

• Our top management is the responsible for the risk management policy and for making sure of the implementation of the policy.
• The top management is also responsible for defining a sound system of internal control that supports the achievement of policies, aims and objectives while safeguarding the public.
• If and when the corporate structure changes, the organisation will ensure that the top management continues to lead and take responsability for the commitment to risk management.

Commitment to risk management

Top management has the responsibility to establish and maintain an effective risk management process. We are commited to implementing an integrated risk management system in line with international reference standards, namely UNE-EN ISO 14971:2020, and guided by the following principles:

• Leadership of management: our management will provide the necessary resources and ensure that the organization works in accordance with these principles.
• Integration in management processes, especially those related to strategy and planning.
• Comprehensive and harmonized management, so that all risks are managed through a common process for identification, evaluation, and treatment.
• Continuous improvement, through periodic reviews of the management framework.

General requirements for our risk management system

Risk management process

We establish, implement, document and maintain a continuous process throughout the product lifecycle to identify the hazards and hazardous situations related to the medical device, estimate and evaluate the associated risks, control these risks, and monitor the effectiveness of the risk control measures. This process must include:

• Risk analysis
• Risk evaluation
• Risk control
• Production and post-production data

The risk management process will be integrated in all the procedures established at this QMS, especially GP-004 Vigilance System, GP-006 Non-conformities. Corrective and preventive actions, GP-007 Post-Market Surveillance and GP-014 Feedback and complaints.

We develop a risk management system based on the standard UNE-EN ISO 14971:2020.

Management responsibilities

The top management of the company:

• Ensures the availability of adequate resources, including the assignment of competent personnel, for risk management.
• Defines and documents the global risk acceptability criteria mentioned in this procedure.
• Checks the adequacy of the risk management process at planned intervals to ensure continuing effectiveness of the process (GP-002 Quality planning). Any decisions and actions taken will be documented in the T-002-004 Management review report.

Competence of staff

Staff involved in risk management will have sufficient experience, skills and knowledge to carry out the assigned tasks. The working team responsibilities will be documented in the corresponding T-005-001 Job description and they also will be described at the T-013-001 Risk management plan. Each T-013-002 Risk management record will be edited and reviewed by the people with the greatest knowledge and experience depending on the case, in relation to their knowledge of technologies, regulatory requirements, formation and others.

It is the responsibility of the JD-001 to select the responsible of each task, which are documented in each T-013-002 Risk management record, showing the name and signature of the responsible individuals.

Risk management plan

Risk management team

The risk management team establishes and documents a T-013-001 Risk management plan.

To be part of the team, it is necessary to meet the following conditions:

• To have received specific training in the application of the risk management procedure according to the applicable regulations (MDR 2017/745 and ISO 14971),
• &/or deep knowledge of the product, the manufacturing or development process, the analysis and test methods used, and basic knowledge in the medical device requirements (ISO 13485).

The team performing the risk mangement must be comprised by persons with knowledge and experience of not just risk management, but also with knowledge on the medical device, technologies involved and its use.

The responsibilities are defined at the corresponding T-005-001 Job description and the qualification for each of the components is registered in the T-005-002 Personnel card.

Risk management plan content

The minimum essential content of the T-013-001 Risk management plan, which will be reviewed every year, is:

• Scope: description of the risk management purpose and activities, identifying and describing the medical device and the life cycle phases.
• Terms and definitions: description of the most important concepts related to risk management.
• Assignment of responsibilities and authorities.
• Requirements for the review of the risk management activities.
• Criteria for risk acceptability.
• Evaluation and criteria for acceptability of the overall residual risk.
• Verification activities for the implementation and effectiveness of risk control measures.
• Collection and review of relevant production and post-market information.
• Planning of the risk management activities: relationship among the phases of the product's life cycle, the risk management activities and the related documentation.

The risk management process will be established in each phase of the product's life cycle, according to each step defined in this procedure.

Risk management record

The compnay establishes and maintains a Risk management record (T-013-002) according to the applicable requirements.

The T-013-003 Risk management record considers the following types of risks:

• Requirements risks (user, technical and regulatory)
• Product risks
• Processes risks
• Infrastructure risks
• Personnel training risks
• Safety and security characteristics (according to Annex A & F of the UNE-EN ISO 24971:2019)

Each record contains, at least:

• Hazards and hazardous situations
• Type of risk
• Risk analysis (estimation):
  • Foreseeable sequence of events
  • Harms
  • Risks
  • Parts/people affected
  • Potential causes/mechanisms of failure
• Initial risk evaluation
  • Severity (S) identification
  • Probability (P) identification, distinguishing:
    • $P_1$: Probability of occurrence of the hazardous situation
    • $P_2$: Probability of the hazardous situation leading to harm
      • Note: For our diagnostic support software, $P_2$ is always documented as 1 because the device aids in diagnosis and does not directly touch or interact with patients, meaning it cannot directly cause harm
    • P (combined): $P_1 \times P_2$ = Overall probability of harm (effectively $P_1$ for our device since $P_2$ = 1)
  • RPN (Risk Priority Number) = $S \times P$ (combined) = $S \times P_1 \times P_2 = S \times P_1 \times 1 = S \times P_1$
• Risk control
  • Control method selected option (according to UNE-EN ISO 14971:2020)
    • Inherently safe design and manufacture
    • Protective measures in the medical device itself or in the manufacturing process
    • Information for safety and, where appropriate, training to users
  • Implanted mitigation measures
  • Responsible
  • Implemented control measures verification
• Evaluation of overall residual risk
  • Severity and probability identification
  • RPN (Risk Priority Number)
  • Risk level, according to the cover of each T-013-002 Risk management record and/or the product's T-013-001 Risk management plan, its acceptability and risk level matrices:
    • Acceptable
    • AFAP (“As Far As Possible”). Review required, acceptable with current risk minimization measures.
    • Unacceptable
• Risk acceptability, according to cover of each T-013-002 Risk management record and/or the product's T-013-001 Risk management plan, its acceptability and risk level matrices:
  • Yes, acceptable
  • Pending, it is required a risk minimization action
  • No, unacceptable
• Risk minimization for residual risk:
  • Control method selected option (according to UNE-EN ISO 14971:2020)
    • Inherently safe design and manufacture
    • Protective measures in the medical device itself or in the manufacturing process
    • Information for safety and, where appropriate, training to users
    • Control method based on the combination of some or all the previous.
  • Additional control measures
• Assessment of risks arising from risk control measures
  • Yes
  • No
• Acceptability of the individual benefit-risk ratio
• Clinical validation tracking (when applicable):
  • Identification as Safety Objective (Yes/No)
  • P1 observed during clinical studies
  • Date of clinical validation
  • Reference to clinical study or report

The risk acceptability value for residual risks is documented in the correponding section of this procedure, and it will be based on a specific matrix where the harm probability and severity are related.

Safety Objectives Tracking

Residual risks identified as Safety Objectives require additional fields for clinical validation tracking. These fields allow comparison between estimated probability (P1) and observed clinical occurrence rates, ensuring continuous validation of risk assessments through real-world evidence.

In case of having more than one product, we will identify the specific product as part of the file name. For example, for product 1 and product 2, the name of the files will be:

• TF-R-013-002_Risk Management Record_Product 1 name_YYYY_nnn
• TF-R-013-002_Risk Management Record_Product 2 name_YYYY_nnn

Currently, we only develop and manufacture a single product.

The T-013-002 Risk management records will have a color code to identify:

• Risk level
• Risk acceptability
• Benefit-risk analysis

These colors are:

• Red color: unacceptable.
• Yellow color: AFAP (As Far As Possible), acceptable with current risk minimization measures.
• Green color: acceptable.

Risk analysis

Risk analysis process

The risk analysis process must be done for each medical device, specifying the risk directly associated with each product and the related processes.

The risk analysis plan consists in:

• Description of the product and its intended use (Technical File and Risk Management Plan).
• Identification of known and foreseeable hazards (Risk Management Records).
• Risk estimation for each hazard (Risk Management Records).

The people involved in each risk analysis record are named at the signature meaning section, identifying the responsibility and assigned task.

Finally, each responsible signs the document according to GP-001 Documents and records control.

Intended use and reasonably foreseeable misuse

The medical device intended use is documented in the Technical File and in the T-013-001 Risk management plan considering the intended medical indication, the patient population, the user profile, the use environment and the operating principle.

Likewise, the company documents the product reasonably foreseeable misuse in the T-013-002 Risk management record.

Identification of characteristics related to safety

The qualitative and quantitative characteristics that could affect the safety of the medical device and, when applicable, the limits of these characteristics are documented in the Technical File T-013-003 Risk management report.

Identification of hazards and hazardous situations

The identification of known and foreseeable hazards based on the intended use, the reasonably foreseeable misuse and the characteristics related to safety of the medical device, is documented in each T-013-002 Risk management record, in the column named “HAZARD AND HAZARDOUS SITUATION”, under normal conditions of use and failure conditions.

It will be based on a previous analysis documented in the T-013-001 Risk management plan.

Risk estimation

For each identified hazardous situation, we estimate the associated risk value using the rationale and the formula explained in the Risk Management Policy section. The risk estimation is registered for each risk at the T-013-002 Risk management record.

Risk evaluation

Risk level

For each identified hazardous situation, we decide the risk reduction needed based on its risk level. We define the risk level using the rationale and the formula explained in the Risk Management Policy section. This information will be registered in the T-013-001 Risk management plan and in the glossary of each T-013-002 Risk management Record.

Risk acceptability

We define the risk level using the rationale and the formula explained in the Risk Management Policy section.

Risk control

Risk mitigation

When a risk reduction is required, the following actions to mitigate or eliminate the risk developed should be taken.

Risk control option

To reduce the risks to an acceptable level, we determine a set of risk control measures that may be appropiate for each risk. In order of priority, the actions to be taken must be grouped as:

• Inherently safe design and manufacture or intrinsically safe design and construction as defined on Annex A of the standard UNE-CEN ISO/TR 24971:2020: to eliminate a particular hazard, reduce the probability of occurrence of the harm or reduce the severity of the harm. This includes improvements of the characteristics such as precision, reliability, automation of stages prone to mistakes, ease of use, or others. We apply a FMEA (Failure Mode and Effects Analysis) method to identify steps to prevent nonconforming products.
• Protective measures in the medical device or in the manufacturing process: if improvements in the manufacturing process are not feasible, additional controls may be required, such as inspection of input materials, in-process testing, reference materials to ensure metrological traceability, or final testing.

As well as that, we also consider:

• Information for safety and, where appropriate, training to users, such as instructions, warnings and other specific information (descriptive means).

Keep in mind

Information for safety is not a control option, since chapter III of annex I of MDR 2017/745 specifies that users must be informed about residual risks, so additional risk reduction should not be attributed to the information provided to users (annex A of the standard UNE-CEN ISO/TR 24971:2020).

Verification activities

Regarding verification activities, two different verifications activities are required by the harmonized standard UNE-EN ISO 14971:2020. The main differences between them are explained in this table:

	Verification of Implementation of Risk Control Measures	Verification of Effectiveness of Risk Control Measures
Definition	Confirm that the risk control has been implemented as specified in the design.	Confirm that the risk control actually reduces the identified risk to an acceptable level.
Relevant Standard (ISO 14971)	Clause 6.2 (Risk control measures implementation) Clause 7.1 (Verification of implementation)	Clause 7.3 (Evaluation of residual risk) Clause 8 (Risk control effectiveness)
Evidence Types	- Design documents - Traceability matrix - Unit/integration test reports - Code reviews	Validation protocols or results: • Usability Report • CER • Post-Market surveillance
Timing	Phase 4	Phase 5 and Post market
Relation to Risk Management File	Confirms control is present in the system per risk management plan	Confirms residual risk is reduced and justifiable per risk-benefit analysis

The evidence for verification of implementation and effectiveness of risk control measures are collected in the R-TF-013-002 Risk Management Record, in the columns named “Implanted mitigation measure”, and also in the column "Verification of control measure" which is documented by the responsible of verifying the activity.

Verification of implementation of risk control measures

Confirm that the risk control has been implemented as specified in the design. This is done in the Phase 4 of the design.

Verification of effectiveness of risk control measures

Confirm that the risk control actually reduces the identified risk to an acceptable level. This is done in Phase 5 of the design and during the post-market.

Residual risk evaluation

Individual residual risks are evaluated by the same method and with the same criteria for risk acceptability as the initial risks. The residual risk is either acceptable or unacceptable. It specifies the new probability and severity (after the verification of the measures), corresponding to the latter residual risk assessment.

The measures are verified in relation to their effectiveness evaluating their new probability value. Typically, the severity value is considered the same than it was originally, except in concrete cases:

• When the risk responsible considers that it was assessed an extremely low value in old versions.
• When the measures taken can actually minimize the related hazard.

As a general principle, the control and minimization measures are orientated towards reducing the probability, but only in certain cases it will possible to reduce the harm severity, if it appears. When this assessment obtains an unacceptable value, we take minimization measures to reduce the risks to acceptable levels, update the actions and repeat the process of actions control.

The residual risks that should be known by the user are incorporated into the documentation provided to the user together with the product.

Benefit-risk analysis

We carry out an assessment of the global benefit-risk analysis, documenting it in the T-013-003 Risk management report.

Additionally, in order to analyze each individual risk according to annex A of the standard UNE-CEN ISO/TR 24971:2020, at the T-013-002 Risk Management Record we evaluate the acceptability of clinical benefit in comparison with their risks at the end of each risk.

Each risk documented in the T-013-002 Risk Management Record will be assessed in relation to the previous experience, the state of the art, the harmonized standards, and the preclinical and clinical data.

Each individual risk will be analyzed in comparison with the benefit-risk ratio acceptability matrix, developed in the T-013-001 Risk management plan, analyzing its specific probability, severity and resultant risk value.

Benefit-risk acceptability

PROBABILITY OF OCURRENCE	FREQUENT	5	Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis
	PROBABLE	4	Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis
	OCCASIONAL	3	Acceptable		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Not acceptable, conduct a Benefit-Risk analysis
	REMOTE	2	Acceptable		Acceptable		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis		Consider conducting a Benefit-Risk analysis
	IMPROBABLE	1	Acceptable		Acceptable		Acceptable		Acceptable		Acceptable
			1		2		3		4		5
			NEGLIGIBLE		MINOR		MAJOR		SERIOUS		CRITICAL
			SEVERITY

Risk acceptability or rejection criterion

• No, unacceptable
• Pending, it is required a risk minimization action
• Yes, acceptable

Risk resulting from control actions

The effects of the risk control measures should be reviewed in relation to:

• The introduction of new hazards or hazardous situations.
• If the estimated risks for previously identified hazardous situations are affected by the introduction of the risk control measures.

The new risks will be managed according to the process defined in this document. When a new risk appears, the responsible creates a new entry in the T-013-002 Risk Management Record, creating a new version of the record. The new entry will have as initial probability the same value than the previous one had as “RESIDUAL RISK EVALUATION”. When the current action has not been verified, it is moved to the new entry of the record with the same action, and initial probability, for the required action verification.

Completeness of risk control

We ensure that all the risks derived from all the identified hazards are being considered. At each T-013-002 Risk Management Record, hazards and hazardous situations with their foreseeable sequence of events, harms, risks, parts/people affected and potential causes/mechanisms of failure, in every case.

The risk control measures are documented in the T-013-002 Risk Management Record, in the columns “IMPLANTED MITIGATION MEASURES” and “IMPLEMENTED CONTROL MEASURES VERIFICATION” (when they have been verified).

Evaluation of overall residual risk

After the implementation of the actions, and their verification, we decide if the risks are acceptable regarding the values defined in the T-013-001 Risk management plan.

The acceptability of the risks is related to the benefit-risk ratio. A product with a clear benefit in relation to its risks will have greater acceptable value; on the contrary, a product with a low relationship should be analyzed with a more restrictive level of acceptability.

The T-013-002 Risk Management Record show the acceptability of the risk, assessing the RPN value and benefit-risk ratio, as "acceptable", "as far as possible (AFAP)" or "not acceptable".

When the risk level is classified as AFAP, the acceptability is conditioned to a minimization measure in place. According to the risk level matrix and the benefit-risk ratio acceptability matrix, its acceptability depends on values of probability, severity and RPN (combination of them).

For the residual risks that are considered acceptable, it will be necessary to decide which residual risks to reveal and to include in the documentation for clients (IFUs, labels and any other document related to the medical device that contains technical specifications or other when it is aimed to the customers communication).

Risk management review

Before the product commercialization, we make a review of the risk management process, guaranteeing that at least:

• The Risk Management Plan has been appropriately executed.
• The overall residual risk is acceptable.
• Appropriate methods are in place to collect and review relevant production and post-production information.

This review is documented at the T-013-003 Risk management report, that must contain the following information:

• Reference to the risk analysis plan.
• Records of risk analysis performed.
• Risk evaluation.
• The overall residual risk evaluation
• Implementation and verification of established control methods
• Assessment of the acceptability of possible residual risks.

The T-013-003 Risk management report will be reviewed annually, when a new hazard is identified or when a known hazard requires the redesign of control actions. The document will be edited, revised and approved by the responsible people specified in the document itself.

Safety Objectives for Clinical Evaluation

Definition and Purpose

Safety Objectives are specific residual risks identified in the risk management file that require monitoring and validation during clinical studies. These objectives serve as a bridge between risk assessment predictions and real-world clinical evidence, ensuring that the estimated probabilities align with observed clinical outcomes.

Integration with Clinical Evaluation Plan (CEP)

Safety Objectives must be documented in the Clinical Evaluation Plan (T-015-001 Clinical evaluation plan (CEP)) and include:

• Identification of residual risks requiring clinical validation: Each Safety Objective corresponds to a specific residual risk from the T-013-002 Risk management record
• Predicted probability values (P1): The estimated probability of occurrence from the risk analysis
• Monitoring methodology: How the occurrence will be tracked during clinical studies
• Acceptance criteria: Thresholds for determining if observed probabilities align with predictions

Validation Process

During clinical evaluation, each Safety Objective undergoes validation through:

1. Data Collection: Systematic recording of occurrences during clinical studies
2. Probability Comparison: Analysis of P1 (estimated) versus P1 (observed)
3. Risk File Update: Adjustment of probability values if significant deviations are found
4. Benefit-Risk Re-evaluation: Assessment of whether the overall benefit-risk ratio remains acceptable

Example

For the residual risk "Misrepresentation of magnitude returned by the device (R-HBD)":

• P1 (estimated): 1/1000 (Remote, Score 2)
• Clinical monitoring: Track all instances where device measurements differ from reference standards
• Validation: Confirm that observed occurrence rate in clinical studies aligns with the P1 estimation

Documentation Requirements

The results of Safety Objectives validation must be documented in:

• T-015-003 Clinical evaluation report (CER): Final validation results and conclusions
• T-013-002 Risk management record: Updates to probability values based on clinical evidence
• T-007-001 Post-market clinical follow-up plan: Ongoing monitoring requirements

Production and post-production activities

Once the production process has begun, an evaluation of the production data must be carried out periodically, as well as the data obtained in accordance with the procedures GP-004 Vigilance system, GP-006 Non-conformity. Corrective and preventive actions, GP-007 Post-market surveillance and GP-014 Feedback and complaints. During this evaluation, we will determine if:

• Previously unrecognized hazards or hazardous situations are present.
• An estimated risk arising from a hazardous situation is no longer acceptable.
• The overall residual risk is no longer acceptable in relation to the benefits of the intended use.
• The generally acknowledged state of the art has changed.
• A re-evaluation should be done to check the impact on previously implemented risk management activities.
• It is necessary to implement new risk control measures.
• It is necessary to establish a different control.
• The results of this evaluation are considered an input for the review of the suitability of the risk management process by top management according to GP-002 Quality planning.

Regarding each particular medical device or family of medical devices:

• We will review each medical device risk management file and determine if reassessment of risks and/or assessment of new risks is necessary.
• If a residual risk is no longer acceptable, we will evaluate the impact on previously implemented risk control measures and we will consider it as an input for modification of the medical device.
• We will consider the need for actions regarding medical devices on the market.
• We record any decisions and actions in the risk management file.

Associated documents

• GP-002 Quality planning
• T-002-004 Management review report
• T-005-001 Job description
• T-005-002 Personnel card
• T-013-001 Risk management plan
• T-013-002 Risk Management Record
• T-013-003 Risk management report
• GP-004 Vigilance system
• GP-006 Non-conformity. Corrective and preventive actions
• GP-007 Post-market surveillance
• GP-014 Feedback and complaints
• GP-015 Clinical evaluation
• T-015-001 Clinical evaluation plan (CEP)
• T-015-003 Clinical evaluation report (CER)
• T-007-001 Post-market clinical follow-up plan

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

• Author: Team members involved
• Reviewer: JD-003
• Approver: JD-004